TrustRadius: an HG Insights company

SonarQube Server Reviews and Ratings

Rating: 8.4 out of 10

Community insights

TrustRadius Insights for SonarQube Server are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Efficient and Precise Code Quality Reports: Multiple users have praised SonarQube for its highly efficient and precise code quality reports. This feature has allowed them to gain a comprehensive understanding of their code's quality, identify areas for improvement, and enhance the overall quality of their code.

Detection of Bugs and Vulnerabilities: Reviewers have found SonarQube's ability to highlight bugs and vulnerabilities in the codebase to be a valuable asset. This feature has helped them identify potential issues early on, enabling them to take proactive measures to improve the code's quality and security.

Valuable Code Remediation Suggestions: Many users have expressed appreciation for SonarQube's suggestions for code remediation and resolution. These suggestions have proven extremely valuable in helping them make their code cleaner, more maintainable, and ultimately improving long-term code quality.

Reviews

35 Reviews

SonarQube Experience

Rating: 10 out of 10

Use Cases and Deployment Scope

It is one of the components within the gateway to get products into production. We have over 700 projects and just over 20m lines of code.

We have been using it since 2018.

We focus currently on vulnerabilities with required gates and stepped options with temporary "get well plans". The more advanced teams are focusing on the quality aspect and self-manage their maturity. But there are currently no hard lines for quality at this time, except for team-agreed minimum complexity and duplication standards on new code.

Regarding Helm charts and Kubernetes... this was long awaited and welcomed! Making our deployments easier. Concern was on testing and such; there was a misstep in the last 10.6.0 push which caused a slight concern, but SonarSource was very quick at getting 10.6.1 out and distributing the information.

The only other concern we had, that we hadn't experienced in the past (at least not like this), is the change of JDKs at minor versions, scanners, linters, especially without backwards compatibility, where pipelines must actively change from JDK 11 to JDK 17. This might be tough for groups who have large amounts of pipelines. Pipelines which support templates that inject SAST requirements help a bunch to reduce the scope of pipeline changes, but it still caught us by surprise. This sort of change is expected at major versions, right... But still, very stable... this hiccup didn't sway our thoughts about the product overall.

We're still trying to figure out how we can reduce costs... although the value is very tangible to some, the significant overhead is often questioned. It prompts us into discussions that force decisions on which code bases to remove, even if temporarily, for code that is relatively static for long periods.

We really appreciate the engagement of the SonarSource Community site. We use it to stay informed and to get quick insights and responsive support. Great folks out there--appreciate them and the engagement and they represent SonarSource well.

Pros

  • community engagement
  • stability
  • documentation is improving
  • samples/examples are improving

Cons

  • helm charts stability
  • minimize breaking changes on minor builds--incl. scanners, linters

Likelihood to Recommend

Updates of vulnerabilities and hotspots.

Vetted Review
SonarQube Server
6 years of experience

SonarQube: The mandatory tool to elevate your code quality

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

We use SonarQube to analyze our codebase; the main goals are detection of code smells, security vulnerabilities, and performance issues, and also to measure our test coverage. It is part of the continuous integration process. We perform analysis in different languages like Java, JavaScript, TypeScript, and Python. We are planning to include new ones, like Scala and PHP.

Pros

  • Code complexity detection
  • Code smell detection
  • Provides good default rules
  • Huge language support
  • Easy setup
  • Easy integration with common build tools
  • Great fix proposals, and issues description

Cons

  • It doesn't provide automatic pull requests with fixes
  • It doesn't provide insights about the libraries of the projects
  • The administration management user interface could be simplified
  • It doesn't provide an order in which to fix issues, e.g. archives with more and more frequent commits having top priority

Likelihood to Recommend

- The SonarQube analysis provides good suggestions to improve our project's health

- The default rules "Sonar Way" are pretty good and provide good insights

- I consider it a mandatory tool for any serious project.

- You can use offline tools like error-prone, spotbugs, or PMD, but Sonar analysis is more complete and it has more features.

Vetted Review
SonarQube Server
3 years of experience

Code Quality is a Must!

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We use SonarQube as part of the CI/CD pipeline running on Azure DevOps. Mostly .NET projects, and currently integrating with React Native.

Pros

  • Ongoing code quality management
  • Increases developer skills
  • Detects and reports problems
  • Scales with business needs
  • Optimizes the quality
  • It is sustainable

Cons

  • The main “disadvantage” is code maintenance, being more expensive, it also takes more time, as well as producing “false positives”.

Likelihood to Recommend

SonarQube allows automatic static analysis of source code, looking for patterns with errors, bad practices or incidents.

In addition, it performs a calculation of the technical debt. It can be used in any scenario.

In order to use SonarQube, you need to install a server component, where the engine that performs the analysis and stores the results is located, and the analysis must be invoked in some way, which can be done with a client called SonarQube Scanner.

You can also integrate the analysis into the IDE you are using, with a plugin called SonarLint!

SonarQube - The ultimate tool for end-to-end code analysis

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

SonarQube is the default choice of static analysis tool for all the projects in our organization. We use it extensively for examining code quality, detecting code smells, detecting security issues in code and identifying complexities in code for every project. SonarQube is extremely useful since it works for almost all languages that we write our code in, including Python and Java. The plugin-based framework ensures extensibility and easy enhancement of functionality for new use cases.

Pros

  • Easy integration with all coding languages
  • Plugin integration ensures easy extensibility
  • Detects code smells and vulnerabilities
  • Generate test coverage reports
  • Custom quality gates to ensure no bad code is merged

Cons

  • Learning curve is steep
  • Report generation is often very time consuming
  • Works particularly well for Java, but not so good for Python and R
  • Initial setup is quite complicated

Likelihood to Recommend

You should buy:

- If you need static analysis for multiple languages in your teams

- If static analysis integration with IDEs is an important requirement

- If you need custom quality gates for code quality analysis

- If highly detailed test coverage reports are important for your organization

Do not buy if you cannot afford a dedicated team to manage the SonarQube instance for your organization

Vetted Review
SonarQube Server
3 years of experience

SonarQube, you don't need to search more!

Rating: 8 out of 10
Incentivized

Use Cases and Deployment Scope

It's used as a quality gate for software development in the feature implementation, as well as a security barrier for bugs and good practices enforcer.

Pros

  • Easy setup of quality gates for code analysis and tests.
  • Quick reports for vulnerabilities and good practices.
  • Easy setup of vulnerabilities level requirements.

Cons

  • Credentials management, like managing users, groups and permissions, is complex.
  • UI for code review can be improved, feels old but is useful nonetheless.
  • The ticket management system can also be improved.

Likelihood to Recommend

SonarQube does its job properly; it can improve in some points like usability and user experience, but in the end, it does everything you need well.

SonarQube - A perfect QC for Reviewers

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

We are a product-based company where we are using SonarQube to keep an eye on the code quality of all our projects. It really reduced the workload of the reviewers and helped a lot to improve our code quality and the efficiency of the project. It helped us a lot that we can define our own set of rules in all the languages. It has helped us to identify the static code, which reduced our deployment efforts.

Pros

  • You can set your own rules for almost all the languages
  • Most of the rules are already defined; you just need to use them
  • It helps us on security aspects too
  • You can place a gate on code coverage too

Cons

  • UI part of reporting needs more improvement.
  • Simple tooltips can be there for the users to understand better instead of reading documents.
  • For report extraction in Excel or PDF you need the Enterprise version

Likelihood to Recommend

As we were having multiple projects in multiple languages to support our product, a team of 20 developers with various levels of experience was working on them. To maintain the code integrity and its sanity, SonarQube helped a lot to place the quality gates; some of the rules were pre-defined and required very minor tweaking. It really made life easy for the reviewers, as it supports multiple integrations with GitLab, Confluence and Jenkins.

SonarQube: Helper of Dev and organisation for better code quality and security practices.

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

As a service-based and product-based organisation we are dealing with a variety of products and projects, so in order to maintain the code quality we also improve the coding structure by following the suggestions given by the SonarQube analysis, and we also check the code coverage so we know that our code has fully passed through the Sonar analysis. As part of the DevOps team we integrate SonarQube checks in CI (the continuous integration part), so it's a part of continuous code quality, and we have also created custom Quality Gates in order to prevent false or unimproved code from going into any environment.

Pros

  • Static Code Scanning
  • Code Coverage reports, User Friendly Dashboard
  • Integration with various tools in order to maintain code quality
  • Pre-built as well as Custom Quality Gates
  • Detect Bugs & Vulnerabilities, Review Security Hotspots, Track Code Smells
  • Also has many plugins to interact with

Cons

  • In the SonarQube Community Edition they should enable post-scan report generation
  • Other security reports, like vulnerabilities with a preferred solution
  • A guide on scalability, backups and resiliency as well
  • A small report-type UI on other tools as well, like Jenkins

Likelihood to Recommend

When we have big projects/products, with multiple tech stacks involved in the project and a dedicated team working on multiple tech stacks, we need to ensure uniformity in coding structures, and it has support for many languages out there in the market. It's not suitable for small projects where the user base and internet traffic are not much, because in that use case we have more headache maintaining SonarQube servers.
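Two of the reviews above describe the same pattern: a custom Quality Gate evaluated in CI so that code which fails it never reaches a shared environment ("Custom quality gates to ensure no bad code is merged"; "custom Quality Gates in order to prevent false or unimproved code from going into any environments"). The script below is an added example, not code from the reviewers, from TrustRadius or from SonarSource. It shows the CI-side half of that gate: turning the JSON a pipeline job receives from SonarQube's `api/qualitygates/project_status` endpoint into a pass/fail exit code and a short report grouped by the Reliability/Security/Maintainability buckets. The payload is constructed for the example (the project key and numbers are made up); the field names follow the documented response shape, which is an assumption you should check against your own server's output.

```python
"""Added example: evaluate a SonarQube quality-gate result inside a CI job.

The JSON below is a constructed sample of what a job receives from
GET /api/qualitygates/project_status?projectKey=<key>; the numbers are
invented for the example.  Field names follow the documented response
shape (projectStatus.status plus a list of conditions with metricKey,
comparator, errorThreshold and actualValue) and are assumed, not taken
from the reviews.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample response: two of four gate conditions failed.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "64.5"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "1.2"},
        ],
    }
})

# Metric keys grouped into the three buckets the SonarQube UI uses;
# coverage and duplication conditions fall through to "Other".
BUCKETS = {
    "bugs": "Reliability", "new_bugs": "Reliability",
    "vulnerabilities": "Security", "new_vulnerabilities": "Security",
    "new_security_hotspots_reviewed": "Security",
    "code_smells": "Maintainability", "new_code_smells": "Maintainability",
}

# Human-readable form of the comparator the gate applied.
COMPARATOR_TEXT = {"GT": "must not exceed", "LT": "must be at least"}


def failed_conditions(payload: str) -> List[Dict[str, str]]:
    """Return only the conditions that actually broke the gate (status ERROR)."""
    project_status = json.loads(payload)["projectStatus"]
    return [c for c in project_status.get("conditions", [])
            if c.get("status") == "ERROR"]


def gate_passed(payload: str) -> bool:
    """True only when the overall status is OK.

    Any other value (ERROR, the deprecated WARN, or NONE when no gate is
    attached to the project) is treated as a failure, so a project that
    was never wired to a gate cannot slip through the pipeline silently.
    """
    return json.loads(payload)["projectStatus"].get("status") == "OK"


def describe(cond: Dict[str, str]) -> str:
    """One report line per failed condition, tagged with its bucket."""
    bucket = BUCKETS.get(cond["metricKey"], "Other")
    rule = COMPARATOR_TEXT.get(cond.get("comparator", ""), "threshold")
    return (f"[{bucket}] {cond['metricKey']} = {cond['actualValue']} "
            f"({rule} {cond['errorThreshold']})")


def gate_report(payload: str) -> Tuple[bool, List[str]]:
    """Return (passed, report_lines) for a project_status payload."""
    return gate_passed(payload), [describe(c) for c in failed_conditions(payload)]


if __name__ == "__main__":
    # In a real pipeline the payload would come from an HTTP call to the
    # SonarQube server; here the constructed sample is used instead.
    ok, lines = gate_report(SAMPLE_RESPONSE)
    print("Quality gate:", "PASSED" if ok else "FAILED")
    for line in lines:
        print("  ", line)
    # A non-zero exit code is what makes the CI stage block the merge.
    sys.exit(0 if ok else 1)
```

The only behaviour worth calling out is in `gate_passed`: it accepts nothing but `OK`, so a project with no gate attached (`NONE`) fails the stage rather than passing by accident, which is the failure mode a "gate that blocks bad code" most needs to guard against.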

Easy to use DevSecOps application

Rating: 8 out of 10
Incentivized

Use Cases and Deployment Scope

SonarQube is freeware used for checking security vulnerabilities, automatic code quality inspection and CI/CD automation. In our organization we used this application as an integrated service plugin with Microsoft Azure DevOps for CI/CD automation. It is a very helpful application for inspection of applications developed using a variety of programming languages.

Pros

  • Automatic code analysis
  • Checking Security vulnerabilities
  • Easy integration with devops applications

Cons

  • Need more examples for different programming language codes
  • Better documentation

Likelihood to Recommend

Well suited:

- Easy to Integrate with different DevOps platforms for CI/CD automation

- To detect application security vulnerabilities

- For automated static code checks / analysis in order to detect bugs

- Can be used for a variety of programming language applications

Improvement areas:

- Better documentation

- More programming language specific examples

Vetted Review
SonarQube Server
1 year of experience

SonarQube - solid static code analysis tool

Rating: 7 out of 10

Use Cases and Deployment Scope

We use SonarQube in the software department in our DevOps pipeline to analyze source code for our application and provide metrics on issues that it identifies within the codebase. Basically we'll run SonarQube at various steps of code check-ins and merges as one of many metrics to determine code quality and alert the teams to potential issues in recently checked-in code that may need to be triaged and addressed.

Pros

  • Works well with .NET
  • Has a nice extension that allows us to run it in our IDE (Visual Studio)
  • Is customizable in the sense that you can write your own rule set that you want SonarQube to analyze the code against

Cons

  • Often it finds errors that aren't really errors that have impact, takes a lot of time to sort through those cases
  • It's a good screener, but by no means can it catch all bugs or be the sole predictor of code quality, so the metrics that it provides need to be caveated when reporting to leadership, etc

Likelihood to Recommend

Overall it's a nice check to incorporate into the DevOps pipeline as another sanity check on the code that's being checked in and the codebase in general. It's good as a supplemental tool, but not if an org is looking for a complete view into code quality or security. Basically SonarQube is able to give you some flagged issues to look into and a metric that reflects the number of issues it identifies in the code, but it still requires developers to take a second look and adequately triage which of the SonarQube issues are high impact and need to be addressed.

Vetted Review
SonarQube Server
2 years of experience

Easy to use DevSecOps tool

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

We use SonarQube to scan our source code whenever we push changes to GitHub. SonarQube helps in identifying code smells and security issues in the code with detailed explanations and intuitive reports.

Pros

  • code analysis
  • code smell detection
  • security issues with code
  • syntax highlighting for different languages

Cons

  • Setup steps can be explained a bit better

Likelihood to Recommend

Using Docker, we were able to set up SonarQube and run our first scan in about a day's time. It was quick to create different projects and link source code to scan.

It clearly segregates issues under Reliability, Security and Maintainability buckets.

It also suggests solutions to fix issues with the code with up to date standards.